Space Shuttle abort modes

Space Shuttle abort modes were procedures by which the nominal launch of the NASASpace Shuttle could be terminated. A pad abort occurred after ignition of the shuttle's main engines but prior liftoff. An abort during ascent that would result in the orbiter returning to a runway or to a lower than planned orbit was called an intact abort, while an abort in which the orbiter would be unable to reach a runway, or any abort involving the failure of more than one main engine, was called a contingency abort. Crew bailout was still possible in some situations where the orbiter could not land on a runway.

The three Space Shuttle Main Engines were ignited roughly 6.6 seconds before liftoff, and computers monitored their performance as they built up thrust. If an anomaly was detected, the engines would be shut down automatically and the countdown terminated before ignition of the Solid Rocket Boosters (SRBs) at T - 0 seconds. This was called a Redundant Set Launch Sequencer (RSLS) abort, and happened five times: STS-41-D, STS-51-F, STS-51, STS-55, and STS-68.[1]

Once the shuttle's SRBs were ignited, the vehicle was committed to liftoff. If an event requiring an abort happened after SRB ignition, it was not possible to begin the abort until after SRB burnout and separation about two minutes after launch. There were five abort modes available during ascent, divided into the categories of intact aborts and contingency aborts.[2] The choice of abort mode depended on how urgent the situation was, and what emergency landing site could be reached. The abort modes covered a wide range of potential problems, but the most commonly expected problem was a SSME failure, causing the vehicle to have insufficient thrust to achieve its planned orbit. Other possible non-engine failures necessitating an abort included multiple auxiliary power unit (APU) failure, cabin leak, and external tank leak (ullage leak).

There were four intact abort modes for the Space Shuttle. Intact aborts were designed to provide a safe return of the orbiter to a planned landing site or to a lower orbit than planned for the mission.

Return To Launch Site (RTLS) was the first abort mode available, and could be selected just after SRB jettison. The shuttle would have continued downrange to burn excess propellant, as well as pitch up to maintain vertical speed in aborts with an SSME failure. After burning sufficient propellant, the vehicle would have pitched all the way around and begun thrusting back towards the launch site. This maneuver was called the Powered Pitcharound (PPA), and was timed to ensure less than 2% propellant remained in the external tank by the time the shuttle's trajectory would bring it back to the Kennedy Space Center. Additionally, the shuttle's OMS and reaction control system (RCS) motors would continuously thrust to burn off excess OMS propellant to reduce landing weight and adjust the orbiter's center of gravity. Just before main engine cutoff, the orbiter would be commanded to pitch nose-down to ensure proper orientation for external tank jettison, since aerodynamic forces would otherwise cause the tank to recontact the orbiter. The SSMEs would cutoff, and the tank would be jettisoned as the orbiter used its RCS to increase separation. Once the orbiter cleared the tank, it would make a normal gliding landing about 25 minutes after lift-off.[3]

Should a second SSME have failed at any point but during PPA, the shuttle would not have been able to make it back to the runway at KSC, but the crew would be able to bail out. A failure of a second engine during the PPA maneuver would have led to loss of control and subsequent loss of crew and vehicle (LOCV). Failure of all three engines as horizontal velocity approached 0 or just before external tank jettison would have also resulted in LOCV.[4]

The CAPCOM would call out the point in the ascent at which an RTLS was no longer possible as "negative return", approximately four minutes after lift-off, when the vehicle had too much velocity to make it back to the launch site. This abort mode was never needed in the history of the Shuttle program. Astronaut Mike Mullane referred to the RTLS abort as an "unnatural act of physics," and many pilot astronauts hoped that they would not have to perform such an abort due to its difficulty.[5]

A Transoceanic Abort Landing (TAL) involved landing at a predetermined location in Africa or western Europe about 25 to 30 minutes after lift-off.[6] It was to be used when velocity, altitude, and distance downrange did not allow return to the launch point via RTLS. It was also to be used when a less time-critical failure did not require the faster but possibly more stressful RTLS abort.

A TAL abort would have been declared between roughly T+2:30 minutes (2 minutes and 30 seconds after liftoff) and Main Engine Cutoff (MECO), about T+8:30 minutes. The Shuttle would then have landed at a predesignated airstrip across the Atlantic. The last four TAL sites until the Shuttle's retirement were Istres Air Base in France, Zaragoza and Morón air bases in Spain, and RAF Fairford in England. Prior to a Shuttle launch, two sites would be selected based on the flight plan, and were staffed with standby personnel in case they were used. The list of TAL sites changed over time and depended on orbital inclination.

Preparations of TAL sites took four to five days and began one week before launch, with the majority of personnel from NASA, the Department of Defense and contractors arriving 48 hours before launch. Additionally, two C-130 aircraft from the Manned Space Flight support office from the adjacent Patrick Air Force Base, including eight crew members, nine pararescuemen, two flight surgeons, a nurse and medical technician, along with 2,500 pounds (1,100 kg) of medical equipment were deployed to either Zaragoza, Istres, or both. One or more C-21 or a C-12 aircraft would also be deployed to provide weather reconnaissance in the event of an abort with a TALCOM, or astronaut flight controller aboard for communications with the shuttle pilot and commander.[6]

This abort mode was never needed during the entire history of the space shuttle program.

An Abort Once Around (AOA) was available were the shuttle unable to reach a stable orbit but had sufficient velocity to circle the earth once and land, about 90 minutes after lift-off. The time window for using the AOA abort was very short: just a few seconds between the TAL and ATO abort opportunities. Therefore, taking this option was very unlikely.

This abort mode was never needed during the entire history of the space shuttle program.

An Abort to Orbit (ATO) was available when the intended orbit could not be reached but a lower stable orbit was possible. This occurred on mission STS-51-F, which continued despite the abort to a lower orbit. The Mission Control Center in Houston (located at Lyndon B. Johnson Space Center) observed an SSME failure and called "Challenger--Houston, Abort ATO. Abort ATO".

The moment at which an ATO became possible was referred to as the "press to ATO" moment. In an ATO situation, the spacecraft commander rotated the cockpit abort mode switch to the ATO position and depressed the abort push button. This initiated the flight control software routines which handled the abort. In the event of lost communications, the spacecraft commander could have made the abort decision and taken action independently.

A hydrogen fuel leak in one of the SSMEs on STS-93 resulted in a slight underspeed at MECO, but was not an ATO and the shuttle achieved its planned orbit; if the leak had been more severe, it might have necessitated an ATO, RTLS, or TAL abort.

TAL was the preferred abort option if the vehicle had not yet reached a speed permitting the ATO option.

AOA would have been only used in the brief window between TAL and ATO options.

RTLS resulted in the quickest landing of all abort options, but was considered the riskiest abort. Therefore it would have been selected only in cases where the developing emergency was so time-critical the other aborts were not feasible, or in cases where the vehicle had insufficient energy to reach the other aborts.

Unlike all previous U.S. crew vehicles, the shuttle was never flown without astronauts aboard. To provide an incremental non-orbital test, NASA considered making the first mission an RTLS abort. However, STS-1 commander John Young declined, saying, "let's not practice Russian roulette."[7]

Contingency aborts involved failure of more than one SSME and would generally have left the orbiter unable to reach a runway.[8] These aborts were intended to ensure the survival of the orbiter long enough for the crew to bailout. Loss of two engines would have generally been survivable by using the remaining engine to optimize the orbiter's trajectory so as to not exceed structural limits during reentry. Loss of three engines could have been survivable outside of certain "black zones" where the orbiter would have failed before bailout was possible.[4] These contingency aborts were added after the destruction of Challenger.

Abort options after STS-51L. Grey zones indicate failures in which the orbiter could remain intact until crew bailout.

Before the Challenger disaster during STS-51-L, ascent abort options involving failure of more than one SSME were very limited. While failure of a single SSME was survivable throughout ascent, failure of a second SSME prior to about 350 seconds would mean loss of crew and vehicle (LOCV), since no bailout option existed. Studies showed an ocean ditching was not survivable. Furthermore, the loss of a second or third SSME at almost any time during an RTLS abort would have caused a LOCV.

After the loss of Challenger in STS-51-L, numerous abort enhancements were added. With those enhancements, the loss of two SSMEs was now survivable for the crew throughout the entire ascent, and the vehicle could survive and land for large portions of the ascent. The struts attaching the orbiter to the external tank were strengthened to better endure a multiple SSME failure during SRB flight. Loss of three SSMEs was survivable for the crew for most of the ascent, although survival in the event of three failed SSMEs before T+90 seconds was unlikely due to design loads being exceeded on the forward orbiter/ET and SRB/ET attach points and still problematic at any time during SRB flight due to controlability during staging.[4]

A particular significant enhancement was bailout capability. This is not ejection as with a fighter plane, but an Inflight Crew Escape System[9] (ICES). The vehicle was put in a stable glide on autopilot, the hatch was blown, and the crew slid out a pole to clear the orbiter's left wing. They would then parachute to earth or the sea. While this may at first appear only usable under rare conditions, there were many failure modes where reaching an emergency landing site was not possible yet the vehicle was still intact and under control. Before the Challenger disaster, this almost happened on STS-51-F, when a single SSME failed at about T+345 seconds. The orbiter in that case was also Challenger. A second SSME almost failed due to a spurious temperature reading; fortunately the engine shutdown was inhibited by a quick-thinking flight controller. If the second SSME failed within about 69 seconds of the first, there would have been insufficient energy to cross the Atlantic. Without bailout capability the entire crew would be lost. After the loss of Challenger, those types of failures were made survivable. To facilitate high altitude bailouts, the crew began wearing the Launch Entry Suit and later the Advanced Crew Escape Suit during ascent and descent. Before the Challenger disaster, crews for operational missions wore only fabric flight suits.

Another post-Challenger enhancement was the addition of East Coast Abort Landings (ECAL). High-inclination launches (including all ISS missions) were now able to reach an emergency runway on the East Coast of the United States under certain conditions.

An ECAL abort was similar to RTLS, but instead of landing at the Kennedy Space Center, the orbiter would attempt to land at another site along the east coast of North America. Various emergency landing sites extended from South Carolina and Bermuda up into Newfoundland, Canada. ECAL was a contingency abort that was less desirable than an intact abort, primarily because there was so little time to choose the landing site and prepare for the orbiter's arrival. The ECAL emergency sites were not as well equipped to accommodate an orbiter landing as those prepared for an RTLS abort.[10]

Numerous other abort refinements were added, mainly involving improved software for managing vehicle energy in various abort scenarios. These enabled a greater chance of reaching an emergency runway for various SSME failure scenarios.

An ejection escape system, sometimes called a launch escape system, had been discussed many times for the shuttle. After the Challenger and Columbia losses, great interest was expressed in this. All previous US manned space vehicles had launch escape systems, although none was ever used.

Modified Lockheed SR-71ejection seats were installed on the first four shuttle flights (all two-man missions aboard Columbia) and removed afterwards. Ejection seats were not further developed for the shuttle for several reasons:

Very difficult to eject seven crew members when three or four were on the middeck (roughly the center of the forward fuselage), surrounded by substantial vehicle structure.

Limited ejection envelope. Ejection seats only work up to about 3,400 miles per hour (3,000 kn; 5,500 km/h) and 130,000 feet (39,624 m). That constituted a very limited portion of the shuttle's operating envelope, about the first 100 seconds of the 510 seconds powered ascent.

No help during Columbia-type reentry accident. Ejecting during an atmospheric reentry accident would have been fatal due to the high temperatures and wind blast at high Mach speeds.

[I]n truth, if you had to use them while the solids were there, I don’t believe you’d—if you popped out and then went down through the fire trail that’s behind the solids, that you would have ever survived, or if you did, you wouldn't have a parachute, because it would have been burned up in the process. But by the time the solids had burned out, you were up to too high an altitude to use it. ... So I personally didn't feel that the ejection seats were really going to help us out if we really ran into a contingency.[11]

The Soviet shuttle Buran was planned to be fitted with the crew emergency escape system, which would have included K-36RB (K-36M-11F35) seats and the Strizh full-pressure suit, qualified for altitudes up to 30,000 m and speeds up to Mach 3.[12] Buran flew only once in fully automated mode without a crew, thus the seats were never installed and were never tested in real human space flight.

Like ejection seats, capsule ejection for the shuttle would have been difficult because no easy way existed to exit the vehicle. Several crewmembers sat in the middeck, surrounded by substantial vehicle structure.

Cabin ejection would work for a much larger portion of the flight envelope than ejection seats, as the crew would be protected from temperature, wind blast, and lack of oxygen or vacuum. In theory an ejection cabin could have been designed to withstand reentry, although that would entail additional cost, weight and complexity. Cabin ejection was not pursued for several reasons:

Major modifications required to shuttle, likely taking several years. During much of the period the vehicle would be unavailable.

Cabin ejection systems are much more complex than ejection seats. They require devices to cut cables and conduits connecting the cabin and fuselage. The cabin must have aerodynamic stabilization devices to avoid tumbling after ejection. The large cabin weight mandates a very large parachute, with a more complex extraction sequence. Air bags must deploy beneath the cabin to cushion impact or provide flotation. To make on-the-pad ejections feasible, the separation rockets would have to be quite large. In short, many complex things must happen in a specific timed sequence for cabin ejection to be successful, and in a situation where the vehicle might be disintegrating. If the airframe twisted or warped, thus preventing cabin separation, or debris damaged the landing airbags, stabilization, or any other cabin system, the occupants would likely not survive.

Added risk due to many large pyrotechnic devices. Even if not needed, the many explosive devices needed to separate the cabin entail some risk of premature or uncommanded detonation.

Cabin ejection is much more difficult, expensive and risky to retrofit on a vehicle not initially designed for it. If the shuttle was initially designed with a cabin escape system, that might have been more feasible.

Cabin/capsule ejection systems have a patchy success record, likely because of the complexity.

Sensor detected higher than acceptable readings of the discharge temperature of the high pressure oxidizer turbopump in SSME #3. Endeavour rolled back to VAB to replace all 3 engines. A test firing at Stennis Space Center confirmed a drift in the fuel flow meter which resulted in a slower start in the engine which caused the higher temperatures.

Pre-determined emergency landing sites for the Orbiter were determined on a mission-by-mission basis according to the mission profile, weather and regional political situations. Emergency landing sites during the shuttle program included:[14][15]Sites in which an Orbiter has landed are listed in bold, but none is an emergency landing.

Other locations In the event of an emergency deorbit that would bring the Orbiter down in an area not within range of a designated emergency landing site, the Orbiter was theoretically capable of landing on any paved runway that was at least 3 km (9,800 ft) long, which included the majority of large commercial airports. In practice, a US or allied military airfield would have been preferred for reasons of security arrangements and minimizing the disruption of commercial air traffic.